rfc1115.txt

RFC 的详细文档！

Network Working Group                                            J. Linn
Request for Comments:  1115                                          DEC
                                                  IAB Privacy Task Force
                                                             August 1989


           Privacy Enhancement for Internet Electronic Mail:
             Part III -- Algorithms, Modes, and Identifiers

STATUS OF THIS MEMO

   This RFC suggests a draft standard elective protocol for the Internet
   community, and requests discussion and suggestions for improvement.
   This RFC provides definitions, references, and citations for
   algorithms, usage modes, and associated identifiers used in RFC-1113
   and RFC-1114 in support of privacy-enhanced electronic mail.
   Distribution of this memo is unlimited.

ACKNOWLEDGMENT

   This RFC is the outgrowth of a series of IAB Privacy Task Force
   meetings and of internal working papers distributed for those
   meetings.  I would like to thank the following Privacy Task Force
   members and meeting guests for their comments and contributions at
   the meetings which led to the preparation of this RFC: David
   Balenson, Curt Barker, Jim Bidzos, Matt Bishop, Morrie Gasser, Russ
   Housley, Steve Kent (chairman), Dan Nessett, Mike Padlipsky, Rob
   Shirey, and Steve Wilbur.

Table of Contents

   1.  Executive Summary                                             2
   2.  Symmetric Encryption Algorithms and Modes                     2
   2.1.  DES Modes                                                   2
   2.1.1.  DES in ECB mode (DES-ECB)                                 2
   2.1.2.  DES in EDE mode (DES-EDE)                                 2
   2.1.3.  DES in CBC mode (DES-CBC)                                 3
   3.  Asymmetric Encryption Algorithms and Modes                    3
   3.1.  RSA                                                         3
   4.  Integrity Check Algorithms                                    3
   4.1.  Message Authentication Code (MAC)                           4
   4.2.  RSA-MD2 Message Digest Algorithm                            4
   4.2.1.  Discussion                                                4
   4.2.2.  Reference Implementation                                  5
   NOTES                                                             7






Linn                                                            [Page 1]

RFC 1115                Mail Privacy: Algorithms             August 1989


1.  Executive Summary

   This RFC provides definitions, references, and citations for algorithms,
   usage modes, and associated identifiers used in RFC-1113 and RFC-1114
   in support of privacy-enhanced electronic mail in the Internet
   community.  As some parts of this material are cited by both RFC-1113
   and RFC-1114, and as it is anticipated that some of the definitions
   herein may be changed, added, or replaced without affecting the citing
   RFCs, algorithm-specific material has been placed into this separate
   RFC.  The text is organized into three primary sections; dealing with
   symmetric encryption algorithms, asymmetric encryption algorithms, and
   integrity check algorithms.

2.  Symmetric Encryption Algorithms and Modes

   This section identifies alternative symmetric encryption algorithms
   and modes which may be used to encrypt DEKs, MICs, and message text,
   and assigns them character string identifiers to be incorporated in
   encapsulated header fields to indicate the choice of algorithm
   employed.  (Note: all alternatives presently defined in this category
   correspond to different usage modes of the DEA-1 (DES) algorithm,
   rather than to other algorithms per se.)

2.1.  DES Modes

   The Block Cipher Algorithm DEA-1, defined in ANSI X3.92-1981 [3] may
   be used for message text, DEKs, and MICs.  The DEA-1 is equivalent to
   the Data Encryption Standard (DES), as defined in FIPS PUB 46 [4].
   The ECB and CBC modes of operation of DEA-1 are defined in ISO IS 8372
   [5].

2.1.1.  DES in ECB mode (DES-ECB)

   The string "DES-ECB" indicates use of the DES algorithm in Electronic
   Codebook (ECB) mode.  This algorithm/mode combination is used for DEK
   and MIC encryption.

2.1.2.  DES in EDE mode (DES-EDE)

   The string "DES-EDE" indicates use of the DES algorithm in
   Encrypt-Decrypt-Encrypt (EDE) mode as defined by ANSI X9.17 [2] for
   key encryption and decryption with pairs of 64-bit keys.  This
   algorithm/mode combination is used for DEK and MIC encryption.








Linn                                                            [Page 2]

RFC 1115                Mail Privacy: Algorithms             August 1989


2.1.3.  DES in CBC mode (DES-CBC)

   The string "DES-CBC" indicates use of the DES algorithm in Cipher
   Block Chaining (CBC) mode.  This algorithm/mode combination is used
   for message text encryption only.  The CBC mode definition in IS 8372
   is equivalent to that provided in FIPS PUB 81 [6] and in ANSI X3.106-
   1983 [7].

3.  Asymmetric Encryption Algorithms and Modes

   This section identifies alternative asymmetric encryption algorithms and
   modes which may be used to encrypt DEKs and MICs, and assigns them
   character string identifiers to be incorporated in encapsulated
   header fields to indicate the choice of algorithm employed.  (Note:
   only one alternative is presently defined in this category.)

3.1.  RSA

   The string "RSA" indicates use of the RSA public-key encryption
   algorithm, as described in [8].  This algorithm is used for DEK and
   MIC encryption, in the following fashion: the product n of a
   individual's selected primes p and q is used as the modulus for the
   RSA encryption algorithm, comprising, for our purposes, the
   individual's public key.  A recipient's public key is used in
   conjunction with an associated public exponent (either 3 or 1+2**16)
   as identified in the recipient's certificate.

   When a MIC must be padded for RSA encryption, the MIC will be
   right-justified and padded on the left with zeroes.  This is also
   appropriate for padding of DEKs on singly-addressed messages, and for
   padding of DEKs on multi-addressed messages if and only if an exponent
   of 3 is used for no more than one recipient.  On multi-addressed
   messages in which an exponent of 3 is used for more than one recipient,
   it is recommended that a separate 64-bit pseudorandom quantity be
   generated for each recipient, in the same manner in which IVs are
   generated.  (Reference [9] discusses the rationale for this
   recommendation.)  At least one copy of the pseudorandom quantity should
   be included in the input to RSA encryption, placed to the left of the
   DEK.

4.  Integrity Check Algorithms

   This section identifies the alternative algorithms which may be used
   to compute Message Integrity Check (MIC) and Certificate Integrity
   Check (CIC) values, and assigns the algorithms character string
   identifiers for use in encapsulated header fields and within
   certificates to indicate the choice of algorithm employed.




Linn                                                            [Page 3]

RFC 1115                Mail Privacy: Algorithms             August 1989


   MIC algorithms which utilize DEA-1 cryptography are computed using a key
   which is a variant of the DEK used for message text encryption.  The
   variant is formed by modulo-2 addition of the hexadecimal quantity
   F0F0F0F0F0F0F0F0 to the encryption DEK.

   For compatibility with this specification, a privacy-enhanced mail
   implementation must be able to process both MAC (Section 2.1) and
   RSA-MD2 (Section 2.2) MICs on incoming messages.  It is a sender option
   whether MAC or RSA-MD2 is employed on an outbound message addressed to
   only one recipient.  However, use of MAC is strongly discouraged for
   messages sent to more than a single recipient.  The reason for this
   recommendation is that the use of MAC on multi-addressed mail fails to
   prevent other intended recipients from tampering with a message in a
   manner which preserves the message's appearance as an authentic message
   from the sender.  In other words, use of MAC on multi-addressed mail
   provides source authentication at the granularity of membership in the
   message's authorized address list (plus the sender) rather than at a
   finer (and more desirable) granularity authenticating the individual
   sender.

4.1.  Message Authentication Code (MAC)

   A message authentication code (MAC), denoted by the string "MAC", is
   computed using the DEA-1 algorithm in the fashion defined in FIPS PUB
   113 [1].  This algorithm is used only as a MIC algorithm, not as a CIC
   algorithm.

   As noted above, use of the MAC is not recommended for multicast
   messages, as it does not preserve authentication and integrity among
   individual recipients, i.e., it is not cryptographically strong enough
   for this purpose.  The message's canonically encoded text is padded at
   the end, per FIPS PUB 113, with zero-valued octets as needed in order to
   form an integral number of 8-octet encryption quanta.  These padding
   octets are inserted implicitly and are not transmitted with a message.
   The result of a MAC computation is a single 64-bit value.

4.2.  RSA-MD2 Message Digest Algorithm

4.2.1.  Discussion

   The RSA-MD2 Message Digest Algorithm, denoted by the string "RSA-MD2",
   is computed using an algorithm defined in this section.  It has been
   provided by Ron Rivest of RSA Data Security, Incorporated for use in
   support of privacy-enhanced electronic mail, free of licensing
   restrictions.  This algorithm should be used as a MIC algorithm
   whenever a message is addressed to multiple recipients.  It is also
   the only algorithm currently defined for use as CIC.  While its
   continued use as the standard CIC algorithm is anticipated, RSA-MD2



Linn                                                            [Page 4]